With mobile payments, security teams must move quickly

For many years, security managers have adapted as users wanted and needed access to new
technologies. The next new technology security managers will need to embrace could well be mobile
payments. Employees may begin to ask if they can make payments on their mobile devices -- the same
devices that access corporate information.


Mobile payment technology will require additional security implementations. Established security
procedures, such as the corporate risk assessment process, will still need to be followed, but
enabling mobile payments by employees will require new policies, adaptations of current security
tools, and possibly the purchase of new security technologies that are just now being
developed.

Mobile payment systems

Mobile payment systems are systems that enable a user to pay out and receive agreed amounts of
money using their mobile device, such as their smartphone. Mobile payment systems are often
classified into two broad categories:

Payment systems that utilize a mobile network to initiate or authorise a transaction;

Contactless systems that use a mobile phone in lieu of a traditional credit card.

When a mobile payment system is installed on a mobile phone, it raises the value of that device
to attackers. Previously, mobile phones were targeted for their resale value or, in the case of
smartphones, for the data stored on them. But with a mobile payment system installed, online
payment details are added to the data on the device, which could give it a much higher value to a
hacker than any other item the individual carries -- perhaps even more than their wallet.

Best practices for enabling mobile payments

As employees begin considering making mobile payments, security professionals should undertake a
risk assessment of mobile payment systems. Here are some tips, based on my own experience, about
the best way to handle mobile payments, both before and after the risk assessment process.

Consider embracing mobile payment systems from the outset. Some mobile payment systems are
going to end up on the mobile phone estate somehow. Get involved now by announcing you will provide
detailed information about mobile payments in the near future. The bottom line is to show you are
considering embracing this technology, rather than having to control it after widespread adoption.

Evaluate different mobile payment systems and the risks associated with each, and determine
which is best for your organisation. In some cases, this may mean determining which system is not
the worst for your organisation.

Promote dialogue with users who are already using mobile payments and find out their
preferences, or what they would like to do with mobile payments.

Once user preferences have been noted and a mobile payment system has been selected, provide
users with a roadmap -- and do it soon. Otherwise, some users will find their own solutions faster
than you would like, as happened when executives brought in iPads and then told the IT department
to find a way to make them work on the corporate network.


Securing mobile payment data on devices

Because mobile devices with mobile payment systems have especially high value to hackers, a
full range of security controls should be implemented on these devices. The technical controls for
mobile devices are straightforward since they are led by advances in control development. However,
most new smart devices sold today do not give the owner root access. This means, for example, you
will likely need to gain root access before you can install controls such as a firewall.

Another vital control that should be implemented on mobile devices is encryption. The point to
remember is that it is far easier to recover data from most non-hard disk technologies (such as
the memory sticks, memory cards and flash drives used in smart devices) than on a smartphone. The
only way to reduce the likelihood of data recovery is not to rely on the built-in software device
wipe functionality, but to encrypt the data and then wipe the device.
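The "encrypt, then wipe" point can be shown with a small simulation. This is an added example, not code from the article or its author. It assumes a constructed flash-like store that keeps old block contents after a wipe (the remnant behaviour the article warns about), uses a SHA-256 counter-mode keystream purely as a stand-in for the device's real cipher, and uses a constructed payment record as the sensitive data; none of these names exist in any real product.

```python
"""Added illustration: a plain wipe leaves recoverable remnants, whereas
encrypting first and destroying the key as part of the wipe does not.

Everything here is constructed for the example: RemnantFlash is a toy model
of flash storage, the cipher is a SHA-256 keystream standing in for AES, and
SAMPLE_RECORD is made-up data.
"""
import hashlib
import os

BLOCK_SIZE = 64

# Constructed sample of the kind of data a payment app might hold on a device.
SAMPLE_RECORD = b"card=4111111111111111;exp=12/29;token=abc123;holder=J Smith"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class RemnantFlash:
    """Toy flash store: a wipe overwrites the live view, but every block
    version ever written stays behind in `remnants`, like wear-levelled flash
    that a forensic reader can dump."""

    def __init__(self) -> None:
        self.live = b""
        self.remnants: list[bytes] = []

    def write(self, data: bytes) -> None:
        self.live = data
        for i in range(0, len(data), BLOCK_SIZE):
            self.remnants.append(data[i:i + BLOCK_SIZE])

    def wipe(self) -> None:
        # Built-in software wipe: overwrites the live copy only.
        self.write(b"\x00" * len(self.live))

    def forensic_dump(self) -> bytes:
        return b"".join(self.remnants)


def plain_wipe_leaks(record: bytes = SAMPLE_RECORD) -> bool:
    """Store the record in clear, run the built-in wipe, then check whether a
    forensic read of the remnants still contains it. True means it leaks."""
    flash = RemnantFlash()
    flash.write(record)
    flash.wipe()
    return record in flash.forensic_dump()


def encrypt_then_wipe_leaks(record: bytes = SAMPLE_RECORD) -> bool:
    """Encrypt before storing, destroy the key as the first step of the wipe,
    then check the remnants again. True means the clear record leaks."""
    flash = RemnantFlash()
    key = os.urandom(32)
    flash.write(encrypt(key, record))
    key = None  # key destruction: remnants are now ciphertext only
    flash.wipe()
    return record in flash.forensic_dump()


def key_survives_wipe_leaks(record: bytes = SAMPLE_RECORD) -> bool:
    """Counter-case: if the wipe overwrites data but the key is left on the
    device, the remnant ciphertext is still decryptable. True means it leaks."""
    flash = RemnantFlash()
    key = os.urandom(32)
    blob = encrypt(key, record)
    flash.write(blob)
    flash.wipe()
    remnant_blob = flash.forensic_dump()[:len(blob)]
    return decrypt(key, remnant_blob) == record


def roundtrip_ok(record: bytes = SAMPLE_RECORD) -> bool:
    """Sanity check that the cipher works while the key is present."""
    key = os.urandom(32)
    return decrypt(key, encrypt(key, record)) == record


if __name__ == "__main__":
    print("plain wipe leaks:", plain_wipe_leaks())
    print("encrypt then wipe leaks:", encrypt_then_wipe_leaks())
    print("key left on device leaks:", key_survives_wipe_leaks())
```

The third function is the practical caveat: encryption only helps if the wipe actually destroys the key (or the key lives in hardware that the wipe resets), which is why the article's order of operations, encrypt first and wipe second, matters.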

In summary, the technical controls to utilise on mobile devices that may be making mobile
payments are:

There are two other useful technical controls that are not yet mature enough to use, but are
worth exploring for devices supporting mobile payments. First, dual SIM card devices may offer a
safer way of storing payment data. The personal SIM card could simply be removed when necessary.
Second, virtualisation on mobile devices could allow the virtualised business operating system to
be deleted without disrupting the personal operating system, its apps and its data. Both of these
technologies are likely to become viable options in the next 12 to 18 months.

About the author: Sarb Sembhi, CISSP-ISSAP, GCIH, GAWN, is the director of consulting services at
Incoming Thought. He is a past President of the London Chapter of ISACA, the founder of its
Security Advisory Group, and current Chair of the Europe and Africa Region Government & Regulatory
Authority Sub-Committee.
